Chapter 04: Network Security
Page 1: Chapter 4: Network Security
CCNA Exploration 4.0
Page 2:
• Identify security threats to enterprise networks
• Describe methods to mitigate security threats to enterprise networks
• Configure basic router security
• Disable unused router services and interfaces
• Use the Cisco SDM one-step lockdown feature
• Manage files and software images with the Cisco IOS Integrated File System (IFS)
Page 3: Introduction to Network Security
Page 4: Why is Network Security Important?
• Computer networks have grown in both size and importance in a very short time. If the security of the network is compromised, there could be serious consequences, such as loss of privacy, theft of information, and even legal liability. To make the situation even more challenging, the types of potential threats to network security are always evolving.
Page 5: The Increasing Threat to Security
Page 6: The Increasing Threat to Security
• Over the years, network attack tools and methods have evolved
• As the types of threats, attacks, and exploits have evolved, various terms have been coined to describe the individuals involved:
Page 7: Think Like an Attacker
Seven-step process to gather information and stage an attack:
• Step 1 Perform footprint analysis (reconnaissance)
• Step 2 Enumerate information
• Step 3 Manipulate users to gain access
• Step 4 Escalate privileges
• Step 5 Gather additional passwords and secrets
• Step 6 Install backdoors
• Step 7 Leverage the compromised system
Page 8: Types of Computer Crime
• Insider abuse of network access
• Virus
• Mobile device theft
• Phishing where an organization is fraudulently represented as the
• Bots within the organization
• Theft of customer or employee
• Exploiting the DNS server of an organization
• Telecom fraud
• Sabotage
Page 9: Open versus Closed Networks
Page 10: Developing a Security Policy
• The first step any organization should take to protect its data and itself from a liability challenge is to develop a security policy: a set of principles that guide decision-making processes and enable leaders in an organization to distribute authority confidently
• A security policy meets these goals:
– Informs users, staff, and managers of their obligatory requirements for protecting technology and information assets
– Specifies the mechanisms through which these requirements can be met
– Provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy
• A security policy can be as simple as a brief Acceptable Use Policy for network resources, or it can be several hundred pages long and detail
Page 11: Developing a Security Policy
• ISO/IEC 27002 is intended to be a common basis and practical guideline for developing organizational security standards and effective security management practices. The document consists of 12 sections:
• Risk assessment
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and maintenance
• Information security incident management
• Business continuity management
• Compliance
Page 12: Common Security Threats
• When discussing network security, three common factors are vulnerability, threat, and attack
Vulnerability
• Vulnerability is the degree of weakness which is inherent in every network and device
• There are three primary vulnerabilities or weaknesses:
– Technological weaknesses
– Configuration weaknesses
– Security policy weaknesses
Page 13: Vulnerabilities: Technological weaknesses
Page 14: Vulnerabilities: Configuration weaknesses
Page 15: Vulnerabilities: Security policy weaknesses
Page 16: Common Security Threats
Threats to Physical Infrastructure
• The four classes of physical threats are:
– Hardware threats: Physical damage to servers, routers, switches, cabling plant, and workstations
– Environmental threats: Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
– Electrical threats: Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
– Maintenance threats: Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling
Page 17: Physical Security Measures
Page 18: Physical Security Measures
Page 19: Common Security Threats: Threats to Networks
Page 20: Common Security Threats: Threats to Networks
• Threats to Networks: four primary classes
• Unstructured Threats: consist of mostly inexperienced individuals using easily available hacking tools. An attacker's skills can do serious damage to a network
• Structured Threats: come from individuals or groups that are more highly motivated and technically competent. These people know system vulnerabilities and use sophisticated hacking techniques to penetrate unsuspecting businesses
• External Threats: arise from individuals or organizations working outside of a company who do not have authorized access to the computer systems or network
• Internal Threats: occur when someone has authorized access to the network with either an account or physical access
Page 21: Common Security Threats: Social Engineering
• The easiest hack involves no computer skill at all
• Social engineering: an intruder can trick a member of an organization into giving over valuable information, such as the location of files or passwords
• Phishing is a type of social engineering attack that involves using e-mail or other types of messages in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords
• Phishing attacks can be prevented by educating users and implementing reporting guidelines when they receive suspicious e-mail
Page 22: Types of Network Attacks
• Reconnaissance
– Is the unauthorized discovery and mapping of systems, services, or vulnerabilities.
– It is also known as information gathering and, in most cases, it precedes another type of attack.
• Access
– Is the ability for an intruder to gain access to a device for which the intruder does not have an account or a password.
• Denial of service (DoS)
– Is when an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users
• Worms, Viruses, and Trojan Horses
Page 23: Reconnaissance Attacks
• Reconnaissance attacks can consist of the following:
– Internet information queries
• Two common uses of eavesdropping are as follows:
– Information gathering: Network intruders can identify usernames, passwords, or information carried in a packet
– Information theft: The theft can occur as data is transmitted over the internal or external network. The network intruder can also steal data from networked computers by gaining unauthorized access
Page 24: Reconnaissance Attacks
• Three of the most effective methods for counteracting eavesdropping are as follows:
– Using switched networks instead of hubs so that traffic is not broadcast to all endpoints or network hosts.
– Using encryption that meets the data security needs of the organization without imposing an excessive burden on system resources or users.
– Implementing and enforcing a policy directive that forbids the use of protocols with known susceptibilities to eavesdropping
• Encryption provides protection for data susceptible to eavesdropping attacks, password crackers, or manipulation
Page 25:
– Another password attack method uses rainbow tables.
– A brute-force attack tool is more sophisticated
Page 27: Access Attacks
Page 28: Access Attacks
• Man-in-the-Middle Attack:
– Is carried out by attackers that manage to position themselves between two legitimate hosts.
– The transparent proxy: a popular method of MITM.
Page 29: DoS Attacks
• DoS attacks:
– Are the most publicized form of attack and also among the most difficult to eliminate.
– DoS attacks take many forms
Page 30: DoS Attacks
• Ping of Death:
– It took advantage of vulnerabilities in older operating systems.
– This attack modified the IP portion of a ping packet header to indicate that there is more data in the packet than there actually was.
• SYN Flood:
– Exploits the TCP three-way handshake.
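The following half-open connection tracker is an added example, not part of the course material: it replays TCP flag records and shows how a SYN flood (SYNs that are never completed by the client's ACK) differs from normal handshakes. The packet records, addresses and the backlog threshold are constructed for illustration.

```python
# Added example (not from the CCNA course): detect a SYN flood by replaying
# TCP flag records and counting handshakes that never completed.
# A normal client sends SYN, receives SYN/ACK, and sends ACK; a SYN flood
# sends many SYNs (often from spoofed sources) and never sends the final ACK,
# leaving the server with a growing backlog of half-open connections.
from collections import defaultdict

# Constructed packet records: (time_s, src_ip, src_port, dst_ip, dst_port, flags)
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", 40001, "192.0.2.10", 80, "S"),    # client SYN
    (0.01, "192.0.2.10", 80, "10.0.0.5", 40001, "SA"),   # server SYN/ACK
    (0.02, "10.0.0.5", 40001, "192.0.2.10", 80, "A"),    # client ACK: complete
    (0.50, "10.0.0.6", 40002, "192.0.2.10", 80, "S"),
    (0.51, "10.0.0.6", 40002, "192.0.2.10", 80, "R"),    # client aborted: not half-open
] + [
    # 120 SYNs from different (constructed, likely spoofed) sources, never ACKed
    (1.0 + i * 0.01, f"198.51.100.{i % 250 + 1}", 5000 + i, "192.0.2.10", 80, "S")
    for i in range(120)
]


def half_open_by_server(packets):
    """Return {server_ip: {(client_ip, client_port), ...}} for every SYN whose
    client never followed up with the completing ACK (or an RST)."""
    pending = {}  # client-side 4-tuple -> time of the SYN
    for t, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":               # bare SYN: handshake started
            pending[key] = t
        elif flags in ("A", "R") and key in pending:
            del pending[key]           # third step done, or client gave up
        # "SA" comes from the server and is keyed the other way round, so it
        # never matches a pending client entry; that is intended.
    by_server = defaultdict(set)
    for src, sport, dst, _dport in pending:
        by_server[dst].add((src, sport))
    return dict(by_server)


def syn_flood_suspects(packets, threshold=100):
    """Servers whose half-open backlog exceeds `threshold` (a constructed cutoff;
    tune it to the listen backlog of the real host)."""
    return {srv: len(clients)
            for srv, clients in half_open_by_server(packets).items()
            if len(clients) > threshold}


if __name__ == "__main__":
    for srv, n in syn_flood_suspects(SAMPLE_PACKETS).items():
        print(f"{srv}: {n} half-open connections, possible SYN flood")
```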
Page 31:
• E-mail bombs: Programs send bulk e-mails to individuals, lists, or domains, monopolizing e-mail services
• Malicious applets: These attacks are Java, JavaScript, or ActiveX programs that cause destruction or tie up computer resources.
Page 32: DoS Attacks
DDoS Attacks (cont.)
• There are three components to a DDoS attack
– There is a Client who is typically a person who launches the attack.
– A Handler is a compromised host that is running the attacker program and each Handler is capable of controlling multiple Agents
– An Agent is a compromised host that is running the attacker program and is responsible for generating a stream of packets that is directed toward the intended victim
• Examples of DDoS attacks include the following: SMURF attack, Tribe flood network (TFN), Stacheldraht, MyDoom
Page 33: DoS Attacks
Page 34: Malicious Code Attacks: Worms
• The enabling vulnerability: A worm installs itself by exploiting known vulnerabilities in systems, such as naive end users who open unverified executable attachments in e-mails.
• Propagation mechanism: After gaining access to a host, a worm copies itself to that host and then selects new targets
• Payload: Once a host is infected with a worm, the attacker has access to the host, often as a privileged user. Attackers could use a local exploit to escalate their privilege level to administrator
Page 35: Malicious Code Attacks: Worms
• Worm attack mitigation requires diligence on the part of system and network administration staff
• The following are the recommended steps for worm attack mitigation:
– Containment: Contain the spread of the worm in and within the network. Compartmentalize uninfected parts of the network.
– Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.
– Quarantine: Track down each infected machine inside the network. Disconnect, remove, or block infected machines from the network.
– Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.
Page 36: Malicious Code Attacks: Viruses and Trojan Horses
• A virus is malicious software that is attached to another program to execute a particular unwanted function on a workstation
• A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool
Page 37: Host and Server Based Security
turned off and uninstalled, when possible.
• Antivirus Software
– It scans files, comparing their contents to known viruses in a virus dictionary. Matches are flagged in a manner defined by the end user.
– It monitors suspicious processes running on a host that might indicate infection. This monitoring may include data captures, port monitoring, and other methods.
Page 38: Host and Server Based Security
• Personal Firewall
• Operating System Patches
Page 39: Intrusion Detection and Prevention
• Intrusion detection systems (IDS) detect attacks against a network and send logs to a management console
• Intrusion prevention systems (IPS) prevent attacks against the network and should provide the following active defense mechanisms in addition to detection:
– Prevention: Stops the detected attack from executing
– Reaction: Immunizes the system from future attacks from a malicious source
Page 40: Intrusion Detection and Prevention
Host-based Intrusion Detection Systems
• Implemented as inline or passive technology
• Passive technology, which was the first generation technology, is called a host-based intrusion detection system (HIDS). HIDS sends logs to a management console after the attack has occurred and the damage is done
• Inline technology, called a host-based intrusion prevention system (HIPS), actually stops the attack, prevents damage, and blocks the propagation of worms and viruses
Page 41: Common Security Appliances and Applications
• Security is a top consideration whenever planning a network
• Threat control: Regulates network access, isolates infected systems, prevents intrusions, and protects assets by counteracting malicious traffic, such as worms and viruses. Devices that provide threat control solutions are:
– Cisco ASA 5500 Series Adaptive Security Appliances
– Integrated Services Routers (ISR)
– Network Admission Control
– Cisco Security Agent for Desktops
– Cisco Intrusion Prevention Systems
Page 42: Common Security Appliances and Applications
• Secure communications: Secures network endpoints with VPN. The devices that allow an organization to deploy VPN are Cisco ISR routers with Cisco IOS VPN solution, and the Cisco 5500 ASA and Cisco Catalyst 6500 switches
• Network admission control (NAC): Provides a roles-based method of preventing unauthorized access to a network. Cisco offers a NAC appliance
• Cisco IOS Software on Cisco Integrated Services Routers (ISRs)
– Cisco provides many of the required security measures for customers within the Cisco IOS software. Cisco IOS software provides built-in Cisco IOS Firewall, IPsec, SSL VPN, and IPS services.
Page 43: Common Security Appliances and Applications
Page 44: The Network Security Wheel
• Most security incidents occur because system administrators do not implement available countermeasures, and attackers or disgruntled employees exploit the oversight
• The Security Wheel has proven to be an effective approach
• The Security Wheel promotes retesting and reapplying updated security measures on a continuous basis
• A security policy includes the following:
– Identifies the security objectives of the organization
– Documents the resources to be protected
– Identifies the network infrastructure with current maps and inventories
– Identifies the critical resources that need to be protected, such as research and development, finance, and human resources. This is called a risk analysis.
Page 45: The Network Security Wheel
[Wheel diagram labels: Security Policy, Secure, Test]
Step 1: Secure
• Threat defense
– Stateful inspection and packet filtering: Filter network traffic to allow only valid traffic and services.
– Intrusion prevention systems
– Vulnerability patching
– Disable unnecessary services
Page 46: The Network Security Wheel
Step 1: Secure (Cont.)
Page 47: The Enterprise Security Policy
• A security policy is a set of guidelines established to safeguard the network from attacks, both from inside and outside a company
• Security policy benefits:
– Provides a means to audit existing network security and compare the requirements to what is in place.
– Plan security improvements, including equipment, software, and procedures.
– Defines the roles and responsibilities of the company executives, administrators, and users.
– Defines which behavior is and is not allowed.
– Defines a process for handling network security incidents.
– Enables global security implementation and enforcement by acting as a standard between sites.
– Creates a basis for legal action if necessary.
Page 48: Functions of a Security Policy
• Functions of a Security Policy:
• The security policy is for everyone, including employees, contractors, suppliers, and customers who have access to the network